Linux Notes
2019.11.22
Let's Encrypt with HAProxy & Nginx
I have been using an Nginx virtual host to obtain Let's Encrypt TLS certificates; it is easy and straightforward. However, once HAProxy is placed in front of Nginx, some issues arise. So let's see how to deal with them.
Let's Encrypt authorizes a certificate for a server by requesting a file from it over HTTP. HAProxy, however, is not a web server the way Nginx is: it does not serve files itself, it only forwards requests to another server. Here that other server is Nginx.
When we request a new certificate, Let's Encrypt fetches an authorization file at a URI of the form /.well-known/acme-challenge/random-hash-here. For this HTTP-01 challenge the request always arrives on port 80. Within HAProxy we define an acl that matches when the request path begins with /.well-known/acme-challenge/, and route matching requests to Nginx (listening on port 8888 here). This rule has to sit before any HTTP-to-HTTPS redirect in the frontend, otherwise the challenge request is bounced instead of answered.
frontend http_frontend
    bind *:80
    mode http
    tcp-request inspect-delay 10s
    # Let's Encrypt certbot path: keep this before any redirect-to-https
    # or other routing rules so the challenge is always handed to Nginx
    acl certbot-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt if certbot-acl
    # your normal default_backend / redirect rules go here, after the acme rule

backend letsencrypt
    mode http
    # Nginx challenge server on the loopback interface only
    server nginx 127.0.0.1:8888 check
Check the syntax first with haproxy -c -f /etc/haproxy/haproxy.cfg, then reload HAProxy so the configuration takes effect (sudo systemctl reload haproxy).
Here is the relevant Nginx config:
#/etc/nginx/conf.d/letsencrypt.conf
# Bound to the loopback interface only: HAProxy is the only client that
# should be able to reach the challenge server directly.
server {
    listen 127.0.0.1:8888;
    listen [::1]:8888;
    # certbot's --webroot path; tokens are written to
    # /var/www/html/.well-known/acme-challenge/<token>
    root /var/www/html;
    location ~ /.well-known/acme-challenge {
        allow all;
    }
}
Note that the default Nginx server must no longer listen on port 80, since HAProxy binds it: remove or change its listen 80 directive, then reload Nginx.
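Before asking Let's Encrypt for anything, it is worth confirming that a request for /.well-known/acme-challenge/<token> on port 80 really travels through HAProxy to Nginx and comes back with the file on disk, because every failed validation counts against the Let's Encrypt rate limit. The following pre-flight script is an added example, not code from the original post; it assumes the webroot /var/www/html from the configuration above, takes the public hostname as its argument, and fetches the URL the way the validator would (plain HTTP on port 80, following redirects).

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: verify that the
# HAProxy -> Nginx path for /.well-known/acme-challenge/ works before
# running certbot, so a misrouted request does not burn a failed validation.
# Assumptions (not on the original page): WEBROOT and the hostname argument.
set -eu

WEBROOT="${WEBROOT:-/var/www/html}"
ACME_DIR="$WEBROOT/.well-known/acme-challenge"

# Fetch a URL roughly the way Let's Encrypt does: plain HTTP, follow
# redirects, do not insist on a valid TLS cert if redirected to https.
# Prints the body; fails on HTTP errors (e.g. HAProxy's 503 "no backend").
fetch_url() {
    curl -fsSL -k --max-time 10 "$1"
}

# Write a throwaway probe file under the webroot and print "<token> <content>".
place_probe() {
    local token content
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    content="ok-$token"
    mkdir -p "$ACME_DIR"
    printf '%s' "$content" > "$ACME_DIR/$token"
    printf '%s %s\n' "$token" "$content"
}

# Returns 0 if http://<host>/.well-known/acme-challenge/<token> returns exactly
# what Nginx has on disk, 1 otherwise (redirect page, 503 body, connection error).
check_acme_routing() {
    local host="$1" probe token content body rc=0
    probe="$(place_probe)"
    token="${probe%% *}"
    content="${probe#* }"
    body="$(fetch_url "http://$host/.well-known/acme-challenge/$token" 2>/dev/null)" || rc=1
    if [ "$rc" -eq 0 ] && [ "$body" != "$content" ]; then
        rc=1   # something answered, but not Nginx serving the probe file
    fi
    rm -f "$ACME_DIR/$token"   # never leave probe files lying in the webroot
    return "$rc"
}

# Usage: ./acme-preflight.sh demo.example.com
if [ "${1:-}" != "" ]; then
    if check_acme_routing "$1"; then
        echo "ACME challenge path is served by Nginx through HAProxy; safe to run certbot"
    else
        echo "challenge path NOT served correctly; check the HAProxy acl/backend and Nginx" >&2
        exit 1
    fi
fi
```

Run it from a host outside your network if you can, since that is where the validator's request comes from; a success from the proxy box itself does not prove that port 80 is reachable from the Internet.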
Run the following command to generate new certificates from Let’s Encrypt:
sudo certbot certonly -d demo.example.com \
--non-interactive --agree-tos --email admin@example.com \
--webroot -w /var/www/html
If everything worked, the new certificate files (fullchain.pem and privkey.pem) are placed under /etc/letsencrypt/live/demo.example.com/.
Renewing the certificates is just as easy. certbot renew renews every certificate that is due and reuses the webroot path recorded at issuance, so neither -d nor -w is needed (renew does not accept -d at all); to renew a single certificate, name it with --cert-name:
sudo certbot renew --cert-name demo.example.com
The Ubuntu certbot package also installs a systemd timer (or cron job) that runs certbot renew automatically.
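Renewal only updates the files under /etc/letsencrypt/live; if HAProxy itself terminates TLS it still needs to be told about the new certificate. HAProxy's crt directive expects a single PEM file containing the full chain followed by the private key, so the usual approach is a certbot deploy hook that assembles that file and reloads HAProxy. The script below is an added example, not code from the original post; it assumes HAProxy is configured with bind *:443 ssl crt /etc/haproxy/certs/ (not shown on the page) and that the script is installed as /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh, where certbot runs it after every successful renewal with RENEWED_LINEAGE set to the certificate's live directory.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a certbot deploy hook that
# builds the single PEM file HAProxy expects and reloads HAProxy.
# Assumptions (not on the original page):
#   HAProxy terminates TLS with   bind *:443 ssl crt /etc/haproxy/certs/
#   this file lives at            /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/demo.example.com)
# when it runs deploy hooks; pass --deploy-hook on the initial certonly run
# to have it run for the first issuance as well.
set -eu

HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# Concatenate fullchain + private key into one PEM (HAProxy's crt format).
# $1: the certificate's live directory, $2: output path. Prints the output path.
build_haproxy_pem() {
    local lineage="$1" out="$2" tmp
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    }
    # write to a temp file in the same directory, then rename: HAProxy never
    # sees a half-written file, and the key is root-only from the start
    tmp="$(mktemp "${out}.XXXXXX")"
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"
    printf '%s\n' "$out"
}

# Sanity check: the assembled file must carry a private key block,
# otherwise HAProxy will refuse to load it.
pem_has_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Validate the config before reloading so a bad cert cannot take the proxy down.
reload_haproxy() {
    haproxy -c -f "$HAPROXY_CFG" >/dev/null
    systemctl reload haproxy
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then
    mkdir -p "$HAPROXY_CERT_DIR"
    pem="$(build_haproxy_pem "$RENEWED_LINEAGE" "$HAPROXY_CERT_DIR/$(basename "$RENEWED_LINEAGE").pem")"
    pem_has_key "$pem"
    reload_haproxy
fi
```

Keep /etc/haproxy/certs readable only by root; HAProxy reads the PEM files at start-up and reload, before it drops privileges, so nothing else needs access to the private key.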
Okay, that is how to put these three services together.
Frank Lin